Hi

I have a 64-bit server running RHEL 5 x86-64 Xen Virtualization. There are 6 NICs in this Xen Host.

The interface names in Dom 0 are:

eth0 - xenbr0 - reserved for Dom 0 Host Management Administration
eth1 - xenbr1 - reserved for Virtual Machine #1
eth2 - xenbr2 - reserved for Virtual Machine #2
eth3 - xenbr3 - reserved for Virtual Machine #3
eth4 - xenbr4 - reserved for Virtual Machine #4
eth5 - xenbr5 - reserved for Virtual Machine #5

How should I configure shorewall in this case of multiple nics, each nic being dedicated to a Virtual Machine?

Thank you.

Mr Teo

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
Teo En Ming wrote:
> I have a 64-bit server running RHEL 5 x86-64 Xen Virtualization.
> There are 6 NICs in this Xen Host.
>
> The interface names in Dom 0 are:
>
> eth0 - xenbr0 - reserved for Dom 0 Host Management Administration
> eth1 - xenbr1 - reserved for Virtual Machine #1
> eth2 - xenbr2 - reserved for Virtual Machine #2
> eth3 - xenbr3 - reserved for Virtual Machine #3
> eth4 - xenbr4 - reserved for Virtual Machine #4
> eth5 - xenbr5 - reserved for Virtual Machine #5
>
> How should I configure shorewall in this case of multiple nics, each
> nic being dedicated to a Virtual Machine?

You have two main options:

1) You could run shorewall in the Dom-0 and configure policies/rules as required.

2) You don't bother trying to filter at the Dom-0 bridge level, but instead run Shorewall on each VM - and that simply means using the single interface config examples. Each VM will simply have a single 'eth0' and the single interface config examples should work without modification.

I would do the latter, it's far easier to set up, plus your firewalling is configured per VM and it's easier than keeping track of firewall rules running on a 'machine' that is different to the machine the services are hosted on.

As for protecting the Dom-0, you can again run Shorewall and follow the single interface examples - just using eth0 and not assigning IP addresses to any of the vif0.n interfaces.
Hi

Thank you for your reply.

I was just thinking it might be too complicated to define zones, policies and rules if I am to do firewalling at the Dom 0 level. It would be too complex as I have six network cards and six ethernet bridges at the Dom 0 level.

Just to confirm your point #2:

Dom 0 - eth0 / xenbr0 only - eth0 configured as 192.168.1.1 for management purposes. This will be the only interface for Dom 0. Firewalling in Dom 0 is only for eth0. Perhaps open ports for ssh only.

eth1 / xenbr1 - no IP address configured in Dom 0 - reserved for virtual machine Dom 1
eth2 / xenbr2 - no IP address configured in Dom 0 - reserved for virtual machine Dom 2
eth3 / xenbr3 - no IP address configured in Dom 0 - reserved for virtual machine Dom 3
eth4 / xenbr4 - no IP address configured in Dom 0 - reserved for virtual machine Dom 4
eth5 / xenbr5 - no IP address configured in Dom 0 - reserved for virtual machine Dom 5

Thus I will configure IP address for the virtual eth0 inside virtual machines and do firewalling for eth0 inside VMs.

Hope I understood correctly.

When I configured Dom 1 as 192.168.1.2/255.255.255.0, I couldn't ping Dom 1 from Dom 0. Similarly, I could not ping Dom 0 from Dom 1. I get Destination Host Unreachable error messages. Any fix?

Thank you.

On 7/30/07, Simon Hobson <linux@thehobsons.co.uk> wrote:
>
> Teo En Ming wrote:
>
> >I have a 64-bit server running RHEL 5 x86-64 Xen Virtualization.
> >There are 6 NICs in this Xen Host.
> >
> >The interface names in Dom 0 are:
> >
> >eth0 - xenbr0 - reserved for Dom 0 Host Management Administration
> >eth1 - xenbr1 - reserved for Virtual Machine #1
> >eth2 - xenbr2 - reserved for Virtual Machine #2
> >eth3 - xenbr3 - reserved for Virtual Machine #3
> >eth4 - xenbr4 - reserved for Virtual Machine #4
> >eth5 - xenbr5 - reserved for Virtual Machine #5
> >
> >How should I configure shorewall in this case of multiple nics, each
> >nic being dedicated to a Virtual Machine?
>
> You have two main options:
>
> 1) You could run shorewall in the Dom-0 and configure policies/rules
> as required.
>
> 2) You don't bother trying to filter at the Dom-0 bridge level, but
> instead run Shorewall on each VM - and that simply means using the
> single interface config examples. Each VM will simply have a single
> 'eth0' and the single interface config examples should work without
> modification.
>
> I would do the latter, it's far easier to set up, plus your
> firewalling is configured per VM and it's easier than keeping track
> of firewall rules running on a 'machine' that is different to the
> machine the services are hosted on.
>
> As for protecting the Dom-0, you can again run Shorewall and follow
> the single interface examples - just using eth0 and not assigning IP
> addresses to any of the vif0.n interfaces.
On Mon, 2007-07-30 at 17:17 +0800, Teo En Ming wrote:
> Hi
>
> I have a 64-bit server running RHEL 5 x86-64 Xen Virtualization. There
> are 6 NICs in this Xen Host.
>
> The interface names in Dom 0 are:
>
> eth0 - xenbr0 - reserved for Dom 0 Host Management Administration
> eth1 - xenbr1 - reserved for Virtual Machine #1
> eth2 - xenbr2 - reserved for Virtual Machine #2
> eth3 - xenbr3 - reserved for Virtual Machine #3
> eth4 - xenbr4 - reserved for Virtual Machine #4
> eth5 - xenbr5 - reserved for Virtual Machine #5
>
> How should I configure shorewall in this case of multiple nics, each
> nic being dedicated to a Virtual Machine?

I recommend that you use a routed Xen configuration rather than a bridged configuration. Then follow (more or less) http://www.shorewall.net/XenMyWay-Routed.html.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
On Mon, 2007-07-30 at 12:16 +0100, Simon Hobson wrote:
>
> As for protecting the Dom-0, you can again run Shorewall and follow
> the single interface examples - just using eth0 and not assigning IP
> addresses to any of the vif0.n interfaces.

He would still need to define each bridge as its own dummy zone with 'routeback' and possibly 'dhcp' (and 'bridge', if using Shorewall-perl).

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
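A sketch of the Dom-0 configuration Tom is describing (management on eth0, every VM bridge as its own dummy zone with 'routeback', 'dhcp' and 'bridge'), added here as an illustration and not taken from the thread or from the Shorewall documentation; the zone names, the Shorewall-perl 4.x column layout and the choice to log drops are assumptions, and only xenbr1 is written out, with xenbr2..xenbr5 following the same pattern.

```text
# /etc/shorewall/zones   (assumed Shorewall-perl 4.x layout)
#ZONE   TYPE
fw      firewall
net     ipv4     # management LAN, reached via eth0 (vif0.0 on xenbr0)
vm1     ipv4     # dummy zone for bridge xenbr1; add vm2..vm5 the same way

# /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,nosmurfs
vm1     xenbr1      -           routeback,dhcp,bridge   # 'bridge' needs Shorewall-perl
# vm2 xenbr2 ... vm5 xenbr5: identical option lists

# /etc/shorewall/policy
#SOURCE  DEST   POLICY   LOG LEVEL
$FW      net    ACCEPT
net      $FW    DROP     info
vm1      vm1    ACCEPT          # VM <-> its own physical port, hairpin via routeback
vm1      all    DROP     info   # Dom-0 never forwards between a VM bridge and anything else
all      all    REJECT   info

# /etc/shorewall/rules   (Dom-0 management surface: ssh and ping only)
#ACTION        SOURCE  DEST  PROTO  DEST PORT(S)
SSH(ACCEPT)    net     $FW
Ping(ACCEPT)   net     $FW
```

Because Dom-0 holds no IP address on xenbr1..xenbr5, the only traffic those zones ever see in Dom-0 is bridged frames passing between vifN.M and pethN, which is why an intra-zone ACCEPT plus 'routeback' is all the dummy zones need.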
Teo En Ming wrote:
> Just to confirm your point #2:
>
> Dom 0 - eth0 / xenbr0 only - eth0 configured as
> 192.168.1.1 for management purposes. This will
> be the only interface for Dom 0. Firewalling in Dom 0 is only for
> eth0. Perhaps open ports for ssh only.
>
> eth1 / xenbr1 - no IP address configured in Dom 0 - reserved for
> virtual machine Dom 1
> eth2 / xenbr2 - no IP address configured in Dom 0 - reserved for
> virtual machine Dom 2
> eth3 / xenbr3 - no IP address configured in Dom 0 - reserved for
> virtual machine Dom 3
> eth4 / xenbr4 - no IP address configured in Dom 0 - reserved for
> virtual machine Dom 4
> eth5 / xenbr5 - no IP address configured in Dom 0 - reserved for
> virtual machine Dom 5
>
> Thus I will configure IP address for the virtual eth0 inside virtual
> machines and do firewalling for eth0 inside VMs.
>
> Hope I understood correctly.

Yes, that's exactly what I meant.

> When I configured Dom 1 as
> 192.168.1.2/255.255.255.0, I
> couldn't ping Dom 1 from Dom 0. Similarly, I could not ping Dom 0
> from Dom 1. I get Destination Host Unreachable error messages. Any
> fix?

Bear in mind I'm a Xen newbie as well ...

Are the relevant ethernet cards all connected to the same switch? Don't forget that the way you have this set up, inter-domain traffic will go out through one physical port, through an external switch, and back in via a different physical port. I would also test it for traffic between dom-0 or a dom-u and an external device - ie make sure you can ping between dom-0 and an external device, and between dom-1 and an external device, etc.

Also, something I found out last week while experimenting (I'm running a bridge in a dom-u doing traffic accounting for traffic to other dom-u's behind it), dom-0 seems to need a vif in each bridge even if it's not going to pass any traffic. In my case, I found that I had to add vif0.1 to xenbr1 and then xenbr1 started working.

In your case, if you do "brctl show xenbr1" you should see peth1, vif0.1 and vif1.1 listed as members.
Hi

Thank you for your reply.

I read somewhere that the xen routed configuration is far more complicated than the xen bridged configuration. I could be wrong.

I would like to keep the network configuration and firewalling simple at this time. I noticed that the network configuration that shipped with XenEnterprise 3.2.0 is also of a bridged type.

On 7/30/07, Tom Eastep <teastep@shorewall.net> wrote:
>
> On Mon, 2007-07-30 at 17:17 +0800, Teo En Ming wrote:
> > Hi
> >
> > I have a 64-bit server running RHEL 5 x86-64 Xen Virtualization. There
> > are 6 NICs in this Xen Host.
> >
> > The interface names in Dom 0 are:
> >
> > eth0 - xenbr0 - reserved for Dom 0 Host Management Administration
> > eth1 - xenbr1 - reserved for Virtual Machine #1
> > eth2 - xenbr2 - reserved for Virtual Machine #2
> > eth3 - xenbr3 - reserved for Virtual Machine #3
> > eth4 - xenbr4 - reserved for Virtual Machine #4
> > eth5 - xenbr5 - reserved for Virtual Machine #5
> >
> > How should I configure shorewall in this case of multiple nics, each
> > nic being dedicated to a Virtual Machine?
>
> I recommend that you use a routed Xen configuration rather than a
> bridged configuration. Then follow (more or less)
> http://www.shorewall.net/XenMyWay-Routed.html.
>
> -Tom
Oh ya, I have completely failed to take into consideration that there are no virtual internal ethernet cross cables between the different VMs. Thanks for pointing it out. I will try it out with my hub tomorrow and also test with my laptop as an external device.

On 7/30/07, Simon Hobson <linux@thehobsons.co.uk> wrote:
>
> >When I configured Dom 1 as
> >192.168.1.2/255.255.255.0, I
> >couldn't ping Dom 1 from Dom 0. Similarly, I could not ping Dom 0
> >from Dom 1. I get Destination Host Unreachable error messages. Any
> >fix?
>
> Bear in mind I'm a Xen newbie as well ...
>
> Are the relevant ethernet cards all connected to the same switch?
> Don't forget that the way you have this set up, inter-domain traffic
> will go out through one physical port, through an external switch,
> and back in via a different physical port. I would also test it for
> traffic between dom-0 or a dom-u and an external device - ie make
> sure you can ping between dom-0 and an external device, and between
> dom-1 and an external device, etc.
Teo En Ming wrote:
> Hi
>
> Thank you for your reply.
>
> I read somewhere that the xen routed configuration is far more
> complicated than the xen bridged configuration. I could be wrong.
>
> I would like to keep the network configuration and firewalling simple at
> this time. I noticed that the network configuration that shipped with
> XenEnterprise 3.2.0 is also of a bridged type.

Sure -- it's simple for people to configure the networking -- that's why it is the default. But there is nothing simple about firewalling a bridged Xen Dom0.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key